Cloud Security Alliance highlights cloud security momentum and IoT security

When the Cloud Security Alliance (CSA) launched in 2008, the questions around cloud computing centered around whether cloud was secure enough to be trusted, how it could be managed securely and in such a way as to keep regulators happy. There was also plenty of talk about whether cloud would fully displace traditional enterprise data centers.

Today, we know that yes, the public cloud can be secured (reasonably so for many types of data) and that cloud won't completely displace on-premises IT systems any time soon. However, the technologies that power the cloud are transforming those data centers into hybrid architectures that consist of traditional enterprise, private, and public cloud environments that will co-exist for years to come.


Jim Reavis, CSA co-founder and CEO, says that more enterprises are moving away from "very physically-oriented" architectures to more virtualized environments. "Recently, we are seeing a lot of our enterprise members become big container devotees, and they are looking at how do we think very virtually, and how do we excel at software-defined data centers," Reavis says.

"It's very much a platform battle, and while OpenStack is gaining some momentum, it's still relatively small, and I don't see the enterprises adopting OpenStack rapidly," Reavis says.

What does Reavis see enterprises adopting? Currently a little bit of everything: primarily Software-as-a-Service applications, as well as virtualized private clouds and public cloud. There are also platforms, such as that are gaining traction. "In fact, it's too many platforms, I think, for developers to contend with," says Reavis. "It's why, I think, a lot of them are really interested in containers and technologies like that," he says.

When it comes to helping enterprises choose the most secure cloud services, in 2013, the CSA and the British Standards Institution created the Security Trust and Assurance Registry, or "STAR" certification program. The program aims to standardize how enterprises can vet the security of their existing cloud providers, or those that they are considering. Through the STAR certification program, cloud providers are able to submit to a third-party assessment, and those that achieve the certification are listed in the CSA STAR Registry.

Yesterday at the RSA Conference 2015 in San Francisco, the CSA announced that the registry now has more than 100 entries, as cloud providers from across the globe have sought to meet the security baseline established by the program.

The CSA also unveiled new guidance aimed at helping early adopters understand the security challenges surrounding the Internet of Things (IoT) and at providing potential device security measures for enterprises implementing IoT. Recommended security controls detailed in the report include:

  • Analyze privacy impacts to stakeholders and adopt a privacy-by-design approach to IoT development and deployment.
  • Apply a Secure Systems Engineering approach to architecting and deploying a new IoT SoS.
  • Implement layered security protections to defend IoT assets.
  • Define life-cycle controls for IoT devices.
  • Define and implement an authentication/authorization framework for the organization's IoT deployments.
  • Define and implement a logging/audit framework for the organization's IoT ecosystem.
  • Develop safeguards to assure the availability of IoT-based systems and data.
  • Information sharing and support of a global approach to combating security threats by sharing threat information with security vendors, industry peers and Cloud Security Alliance.

"We think the IoT is an area that's not a future thing, it's a current thing because there's so much that's happening in the IoT today. Its adoption is broad and there are many types of embedded devices, whether they're critical infrastructure or personal devices we felt that there is a real need because all of the IoT devices are going to be all cloud-provisioned, cloud-managed and data stored in the cloud," Reavis says.

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place